000030778 - IIS agent on SharePoint Web Site only works with local browser, redirect loop from other browsers

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030778
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0
Platform: VMware
O/S Version: ESXi 5.0
Product Name: RSA-0010010
Product Description: RSA Authentication Manager
Issue: SharePoint access works with RSA SecurID logon when it is initiated from a browser on the Windows 2012 Server that hosts the SharePoint site, but not from anywhere else. Remote authentication to SharePoint through SecurID makes the logon page loop: as soon as authentication succeeds, control passes from the RSA agent to SharePoint, SharePoint rejects the request with "Access denied" or "You don't have access to this page", and then redirects the user back to the RSA logon page, which is the loop that is observed.
The RSA aceclient.log shows AUTH_DONE, and the agent then builds the cookie that carries the user ID into SharePoint, but the redirect to SharePoint fails. The original suspicion was that the cookie carried bad or incorrect information (possibly the time), or that the IIS application pool identity was a local account rather than the Network Service account.
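The redirect loop above can be observed hop by hop from a remote machine instead of guessing from the browser. The script below is an added example, not code from the RSA article or the Web Agent: it follows redirects manually (so every 3xx is visible), keeps the cookies it is given, and stops when a URL repeats. The SharePoint URL and the agent cookie name used in the usage call are assumptions; run it from a host other than the IIS server.

```powershell
# Added example, not part of the RSA article: follow the redirect chain a remote
# browser sees, one hop at a time, and stop when a URL repeats. Run it from a
# machine other than the IIS server. With -CookieName/-CookieValue you can replay
# the agent cookie copied from a working local-browser session; the cookie name
# and the URL below are placeholders (assumptions).

function Trace-RedirectChain {
    param(
        [Parameter(Mandatory)] [string] $StartUrl,
        [string] $CookieName,          # optional: agent cookie from a session that works locally
        [string] $CookieValue,
        [int]    $MaxHops = 10
    )
    $jar = New-Object System.Net.CookieContainer   # carries cookies set during the chain
    if ($CookieName) {
        $hostName = ([System.Uri]$StartUrl).Host
        $jar.Add((New-Object System.Net.Cookie -ArgumentList $CookieName, $CookieValue, '/', $hostName))
    }
    $seen  = @{}
    $chain = New-Object System.Collections.Generic.List[object]
    $url   = $StartUrl

    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        if ($seen.ContainsKey($url)) {
            # Same URL a second time: SharePoint -> agent logon -> SharePoint -> ...
            $chain.Add([pscustomobject]@{ Hop = $hop; Url = $url; Status = 'LOOP'; Location = $null })
            break
        }
        $seen[$url] = $true

        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.AllowAutoRedirect = $false            # surface every 3xx instead of following it
        $req.CookieContainer   = $jar
        $req.UserAgent         = 'redirect-tracer/1.0'
        try {
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            if (-not $_.Exception.Response) { throw }   # DNS/TLS/connect failures: nothing to inspect
            $resp = $_.Exception.Response               # 401/403/5xx still carry status and headers
        }
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()

        $chain.Add([pscustomobject]@{ Hop = $hop; Url = $url; Status = $status; Location = $location })
        if ($status -lt 300 -or $status -ge 400 -or -not $location) { break }

        # Location may be relative; resolve it against the URL that issued the redirect.
        $url = (New-Object System.Uri -ArgumentList ([System.Uri]$url), $location).AbsoluteUri
    }
    return $chain
}

# Assumed placeholder URL; substitute the real SharePoint site.
Trace-RedirectChain -StartUrl 'https://sharepoint.example.com/' | Format-Table -AutoSize
```

Without a cookie the chain ends at the agent logon page. To reproduce the cause, log on from a browser on the IIS server, copy the agent cookie from that session, and replay it from the remote host with -CookieName and -CookieValue: before the fix the remote request is bounced back to the logon page, after enabling the option and running iisreset it should return 200 from SharePoint. The same replay is what the IP check was preventing, which is why the site should only be served over HTTPS once that check is turned off.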
Cause: The cookie the web agent passes to SharePoint contains the browser's IP address, and the agent checks it against the address it sees on the follow-up request. The two only match when the browser runs on the IIS server itself; from any other host the cookie fails validation and the user is sent back to the logon page.
Resolution: Enable the option "Ignore Browser IP Address for Cookie Validation" on the RSA web agent setup page for the SharePoint site in IIS. Note that this removes the binding of the agent cookie to the client IP address, so a cookie replayed from another host is no longer rejected on that basis; serve the site over HTTPS only so the cookie is not exposed in transit.
The following configuration will be documented in a future release of the WebAgent_IIS guide or the release notes.
If the application pool of the SharePoint 2013 site runs under another user (identity), perform the following steps:
1. Go to the SharePoint 2013 Central Administration page.
2. Open the Security page.
3. Under General Security, click Configure service accounts; this opens the Service Accounts page.
There you will find five SharePoint-related services in the list:
  a) Windows Service - Microsoft SharePoint Foundation Sandboxed Code Service
  b) Windows Service - SharePoint Server Search
  c) Web Application Pool - SharePoint - 80
  d) Service Application Pool - SharePoint Web Services Default
  e) Service Application Pool - SharePoint Web Services System
4. Now give the user the privileges; this changes the Identity of the application pools in IIS.
5. How to give the privileges:
  a) If the user has not been registered in SharePoint, register it by clicking Register new managed account.
  b) If the user is already registered, select it from "Select an account for this component" for each of the services listed above, one at a time.
  c) Click OK to save after each change. Finally, verify that all of the above services have been modified as described.
6. In the Connections pane of IIS Manager, double-click server_name, then click Sites > SharePoint_Site. On the site's home page, click RSA SecurID.
   Check the option "Ignore Browser IP Address for Cookie Validation".
7. Restart IIS (run iisreset from a command prompt).
For single sign-on:
1. Perform all of the steps above.
2. Open System32 > inetsrv > config > applicationHost.config (back up the file first).
3. Search for SecurIDHandler in the file and add the following entry after that line:
<add name="SecurIDSSOModule" image="PATH_TO_RSASinglesignon.dll" />
Note: RSASinglesignon.dll is in the Web Agent installation directory.
4. In the Connections pane of IIS Manager, double-click <server_name>, then click Sites > SharePoint_Site.
5. In the SharePoint_Site Home pane, double-click Modules.
6. In the Actions pane, click Configure Native Modules and add SecurIDSSOModule.
7. In the Connections pane of IIS Manager, double-click server_name, then click Sites > SharePoint_Site > WebID.
8. In the WebID Home pane, double-click Modules.
9. In the Actions pane, select SecurIDSSOModule and click Remove.
10. Restart the IIS web server (run iisreset from a command prompt).
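After working through both procedures above (the application pool identity change and the single sign-on module registration), the script below verifies the result read-only. It is an added example, not code from the RSA article or the Web Agent: it uses the IIS WebAdministration module so that it reads the effective configuration, regardless of whether IIS Manager wrote the module entries to applicationHost.config or to a web.config. The site, application pool and sub-application names are assumptions taken from the names the article uses ("SharePoint - 80", "WebID"). The "Ignore Browser IP Address for Cookie Validation" checkbox is not checked here because the article does not say where the agent stores it.

```powershell
# Added example, not from the RSA article: a read-only check of the settings the
# two procedures above change, using the effective IIS configuration. Site,
# application-pool and sub-application names are assumptions; adjust them.

Import-Module WebAdministration   # ships with IIS; run in an elevated shell on the IIS server

function Test-SecurIDSharePointConfig {
    param(
        [string] $SiteName    = 'SharePoint - 80',   # assumption: IIS site name
        [string] $AppPoolName = 'SharePoint - 80',   # assumption: its application pool
        [string] $WebIdApp    = 'WebID',             # assumption: the agent's sub-application
        [string] $ModuleName  = 'SecurIDSSOModule'
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $note = { param($Check, $Ok, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail }) }
    $sitePath  = "IIS:\Sites\$SiteName"
    $webIdPath = "IIS:\Sites\$SiteName\$WebIdApp"

    # 1. Application pool identity, the article's first suspect.
    $pool = Get-Item "IIS:\AppPools\$AppPoolName" -ErrorAction SilentlyContinue
    if ($pool) {
        $pm = $pool.processModel
        & $note 'AppPool identity' $true ("{0} {1}" -f $pm.identityType, $pm.userName).Trim()
    } else {
        & $note 'AppPool identity' $false "no application pool named '$AppPoolName'"
    }

    # 2. Native modules registered at server level: the agent's own entries plus the
    #    SSO module that step 3 adds next to the SecurIDHandler line. The DLL must exist.
    $globals = Get-WebGlobalModule | Where-Object { $_.Name -like 'SecurID*' }
    foreach ($g in $globals) {
        $image = [Environment]::ExpandEnvironmentVariables($g.Image)
        & $note "globalModules: $($g.Name)" (Test-Path -LiteralPath $image) $image
    }
    $ssoGlobal = $globals | Where-Object { $_.Name -eq $ModuleName }
    & $note "globalModules has $ModuleName" ([bool]$ssoGlobal) $(if ($ssoGlobal) { 'registered' } else { 'missing' })

    # 3. Handler mapping for the agent, as seen by the SharePoint site.
    $handlers = @(Get-WebConfiguration -Filter 'system.webServer/handlers/add' -PSPath $sitePath |
                  Where-Object { $_.name -like 'SecurID*' })
    foreach ($h in $handlers) { & $note "handler: $($h.name)" $true "path=$($h.path)" }
    if ($handlers.Count -eq 0) { & $note 'SecurID handler mapping' $false 'none found on the site' }

    # 4. The SSO module must be in the effective module list of the site (steps 4-6) ...
    $onSite = Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $sitePath |
              Where-Object { $_.name -eq $ModuleName }
    & $note "$ModuleName enabled on '$SiteName'" ([bool]$onSite) $(if ($onSite) { 'present' } else { 'missing' })

    # 5. ... and NOT in the effective list of the WebID sub-application (steps 7-9).
    $onWebId = Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $webIdPath |
               Where-Object { $_.name -eq $ModuleName }
    & $note "$ModuleName removed on '$SiteName/$WebIdApp'" (-not $onWebId) $(if ($onWebId) { 'still enabled' } else { 'removed' })

    return $findings
}

Test-SecurIDSharePointConfig | Format-Table -AutoSize
```

Every row should show OK = True before the iisreset in step 10; a False on the WebID row means the module was added at the site but not removed again for the agent's own pages, and a False on the globalModules row usually means the image path in the applicationHost.config entry does not point at the Web Agent installation directory.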